Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
89s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
29/09/2022, 02:31 UTC
Behavioral task
behavioral1
Sample
a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral2
Sample
out.exe
Resource
win10v2004-20220812-en
General
-
Target
a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
-
Size
2.4MB
-
MD5
ee577c6818e4c4fdfac6221a7678453e
-
SHA1
39b172bc8d5f47e512e0ba90f70ce21661618273
-
SHA256
a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1
-
SHA512
935d466a1de6d03ed5f8287bae32b52d86451c83a1d1d88cc99951d9b8f475b152fc07763d705417faf7386d1327cc033490bbb6a183d13f34a2adb3b7ddf198
-
SSDEEP
49152:dRkVU7z3NhvRaZhTm6mxd2YYglcAxRXK/poKGheD7YJ4zSreZMn2j+w2D:dPv3z6hTN/YYETxhK/WKGheD7YJ4zKey
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
resource yara_rule behavioral1/memory/3464-132-0x0000000000400000-0x0000000000718000-memory.dmp detect_ak_stuff behavioral1/memory/3464-133-0x0000000000400000-0x0000000000718000-memory.dmp detect_ak_stuff -
resource yara_rule behavioral1/memory/3464-132-0x0000000000400000-0x0000000000718000-memory.dmp upx behavioral1/memory/3464-133-0x0000000000400000-0x0000000000718000-memory.dmp upx -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 33 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3464 a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe 3464 a4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe
Processes
Network
-
DNSupdate-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.coma4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exeRemote address:8.8.8.8:53Requestupdate-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.comIN AResponseupdate-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.comIN A106.14.229.99
-
GEThttps://update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com/wxr-notice-update.htmla4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exeRemote address:106.14.229.99:443RequestGET /wxr-notice-update.html HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: zh-cn
Referer: https://update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com/wxr-notice-update.html
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com
ResponseHTTP/1.1 404 Not Found
Date: Thu, 29 Sep 2022 02:32:36 GMT
Content-Type: application/xml
Content-Length: 304
Connection: keep-alive
x-oss-request-id: 633503C40BFD853936D95E63
x-oss-server-time: 2
-
Remote address:8.8.8.8:53Requestntp.ntsc.ac.cnIN AResponsentp.ntsc.ac.cnIN A114.118.7.163ntp.ntsc.ac.cnIN A114.118.7.161
-
Remote address:8.8.8.8:53Requestoss.aliyuncs.comIN AResponseoss.aliyuncs.comIN A118.178.29.5
-
Remote address:118.178.29.5:80RequestGET / HTTP/1.1
Connection: Keep-Alive
Date: Wed, 28 Sep 2022 18:32:36 GMT
Accept: */*
Authorization: OSS LTAI4FzpPaBn74nsma1FK9JZ:jt77GonvMED8eM2i2g0vSyXCzpI=
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: oss.aliyuncs.com
ResponseHTTP/1.1 403 Forbidden
Date: Thu, 29 Sep 2022 02:32:39 GMT
Content-Type: application/xml
Content-Length: 446
Connection: keep-alive
x-oss-request-id: 633503C753BCC6383165A302
x-oss-server-time: 1
-
106.14.229.99:443https://update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com/wxr-notice-update.htmltls, httpa4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe1.1kB 6.3kB 10 8
HTTP Request
GET https://update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com/wxr-notice-update.htmlHTTP Response
404 -
118.178.29.5:80http://oss.aliyuncs.com/httpa4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe491 B 802 B 5 3
HTTP Request
GET http://oss.aliyuncs.com/HTTP Response
403 -
322 B 7
-
322 B 7
-
322 B 7
-
322 B 7
-
8.8.8.8:53update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.comdnsa4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe108 B 124 B 1 1
DNS Request
update-liulanqi-45691295-163music.oss-cn-shanghai.aliyuncs.com
DNS Response
106.14.229.99
-
60 B 92 B 1 1
DNS Request
ntp.ntsc.ac.cn
DNS Response
114.118.7.163114.118.7.161
-
8.8.8.8:53oss.aliyuncs.comdnsa4babb0e052f972640a840da092cc2b70544f04eb6d3c5fb0699747093c85cb1.exe62 B 78 B 1 1
DNS Request
oss.aliyuncs.com
DNS Response
118.178.29.5